Electronic control apparatus, monitoring method, recording medium, and gateway apparatus

ABSTRACT

An electronic control apparatus includes: an obtaining unit configured to obtain data transmitted via a network in a system; and a judging unit configured to judge presence or absence of an anomaly in the data obtained by the obtaining unit, based on a transmission state of the data. The judging unit is configured to judge that an anomaly is present in the data, when the transmission state of the data is a transmission stopped state.

CROSS REFERENCE TO RELATED APPLICATION

The present application is based on and claims priority of JapanesePatent Application No. 2018-114969 filed on Jun. 15, 2018. The entiredisclosure of the above-identified application, including thespecification, drawings and claims is incorporated herein by referencein its entirety.

FIELD

The present disclosure relates to an electronic control apparatus, amonitoring method, a recording medium, and a gateway apparatus.

BACKGROUND

A monitoring apparatus that monitors the network in mobility, such as anautomobile, etc, has been studied. For example, Patent Literature 1discloses the technique of determining fraud in an electronic controlunit communicatively coupled to a bus in-vehicle network. In thetechnique of Patent Literature 1, when a message to an electroniccontrol unit is an anomalous message transmitted in a differenttransmission cycle from a predetermined transmission cycle, thetechnique causes the electronic control unit which is supposed to be thetransmission source of the message to stop transmitting the message.Furthermore, in the technique of Patent Literature 1, when an anomalousmessage is received even when the electronic control unit that is thetransmission source of the message is in the stopped state, it isdetermined that an electronic control unit that spoofs any one ofelectronic control units is present.

CITATION LIST Patent Literature Patent Literature 1

Japanese Unexamined Patent Application Publication No. 2016-129314

SUMMARY Technical Problem

In Patent Literature 1, an anomaly in a message is judged based on ananomaly in the transmission cycle of the message. However, there may bea case where the spoofing electronic unit transmits an anomalous messageof which the transmission period is normal. Therefore, the technique ofPatent Literature 1 may not be enough for monitoring an anomaly in datasuch as messages.

The present disclosure provides an electronic control apparatus, amonitoring method, a recording medium, and a gateway apparatus thatimprove the accuracy of detecting an anomaly in data in a network.

Solution to Problem

An electronic control apparatus according to an exemplary and nonlimiting aspect of the present disclosure includes: an obtaining unitconfigured to obtain data transmitted via a network in a system; and ajudging unit configured to judge presence or absence of an anomaly inthe data obtained by the obtaining unit, based on a transmission stateof the data. The judging unit is configured to judge that an anomaly ispresent in the data, when the transmission state of the data is atransmission stopped state.

A monitoring method according to an exemplary and non limiting aspect ofthe present disclosure includes: obtaining data transmitted via anetwork in a system; and judging that an anomaly is present in the dataobtained, when a transmission state of the data is a transmissionstopped state.

A non-transitory computer-readable recording medium for use in acomputer according to an exemplary and non limiting aspect of thepresent disclosure is a non-transitory computer-readable recordingmedium for use in a computer, the non-transitory computer-readablerecording medium having a computer program recorded thereon for causingthe computer to execute: obtaining data transmitted via a network in asystem; and judging that an anomaly is present in the data obtained,when a transmission state of the data is a transmission stopped state.

A gateway apparatus according to an exemplary and non limiting aspect ofthe present disclosure includes: an obtaining unit configured to obtaindata transmitted via a network in a system; a judging unit configured tojudge that an anomaly is present in the data obtained by the obtainingunit, when a transmission state of the data is a transmission stoppedstate; and a transfer unit configured to stop transferring the data,when the judging unit judges that the anomaly is present in the data.

These general and specific aspects may be implemented using a system, anapparatus, a method, an integrated circuit, a computer program, or acomputer-readable recording medium such as a recording disk, or anycombination of systems, apparatuses, methods, integrated circuits,computer programs, or computer-readable recording media. Thecomputer-readable recording medium includes, for example, a non-volatilerecording medium such as a compact disc-read only memory (CD-ROM).

Advantageous Effects

The technique according to the present disclosure makes it possible toimprove the accuracy of detecting an anomaly in data in a network.

BRIEF DESCRIPTION OF DRAWINGS

These and other objects, advantages and features of the disclosure willbecome apparent from the following description thereof taken inconjunction with the accompanying drawings that illustrate a specificembodiment of the present disclosure.

FIG. 1 is a block diagram illustrating an example of a functionalconfiguration of an in-vehicle network system including a monitoringapparatus according to Embodiment 1.

FIG. 2 is a block diagram illustrating an example of functionalconfiguration of the monitoring apparatus according to Embodiment 1.

FIG. 3 is a table illustrating an example of relationships between dataIDs and transmission states according to Embodiment 1.

FIG. 4 is a table illustrating another example of the relationshipsbetween data IDs and transmission states according to Embodiment 1.

FIG. 5A is a table illustrating still another example of therelationships between data IDs and transmission states according toEmbodiment 1.

FIG. 5B is a table illustrating yet another example of the relationshipsbetween data IDs and transmission states according to Embodiment 1.

FIG. 6 is a table illustrating an example of the relationships betweendata IDs and transmission states in which some of the transmissionstates have been changed from the transmission states in FIG. 3.

FIG. 7 is a flowchart illustrating an example of a procedure ofoperations of the monitoring apparatus according to Embodiment 1.

FIG. 8 is a block diagram illustrating an example of a functionalconfiguration of a monitoring apparatus according to Embodiment 2.

FIG. 9 is a table illustrating an example of relationships between dataIDs and transmission states according to Embodiment 2.

FIG. 10 is a flowchart illustrating an example of a procedure ofoperations of the monitoring apparatus according to Embodiment 2.

FIG. 11 is a block diagram illustrating an example of a functionalconfiguration of a monitoring apparatus according to Embodiment 3.

FIG. 12 is a block diagram illustrating an example of a functionalconfiguration of a monitoring apparatus according to Embodiment 4.

FIG. 13 is a block diagram illustrating an example of a functionalconfiguration of a monitoring apparatus according to a variation ofEmbodiment 1.

DESCRIPTION OF EMBODIMENTS

The inventors of the present disclosure have examined a technique ofmonitoring a network in mobility, such as an automobile. The mobility isalso called a moving object and includes various movable devices. Themobility may be a moving object capable of carrying people, may be amoving object capable of carrying articles, or may be a moving objectthat carries neither people nor articles. Examples of the mobilityinclude a vehicle, a flying object, a ship, and a robot. Examples of thevehicle include an automobile, a track, a bus, a two-wheeled vehicle, atracked or trackless train, a conveyance vehicle, and an industrialvehicle such as a construction machine and a cargo handling machine.Examples of a flying object include an airplane, an airship, and adrone.

An information processor (also called a “signal processor”) which is anapparatus communicatively coupled to the network in mobility may receivean attack from outside of the network, and its function may be changed.In view of the above, the inventors of the present disclosure haveexamined a technique of monitoring the network by detecting anomalousdata outputted from an information processor that has received such anattack.

There are various cases of attacks. A first case is a case where anintruder entering the network spoofs an authorized information processorand transmits camouflage data, while the authorized informationprocessor continues to periodically transmit normal data to the network.In this case, the normal data and the camouflage data of the informationprocessor coexist in the network under attack. In the presentspecification, the attack in the first case is called a “camouflage dataattack while authorized data coexists”.

A second case is a case where an intruder entering the network transmitsa camouflage diagnostic command to an authorized information processor,stops the authorized information processor, and transmits camouflagedata instead of normal data. A third case is a case where an intruderentering the network forges a firmware of an authorized informationprocessor such that it transmits camouflage data instead of normal data.A fourth case is a case where an intruder entering the network forges arouting program of a relay apparatus, such as a gateway, that relays thenetwork, stops the relay, and transmits camouflage relay data instead ofnormal relay data. In the second through fourth cases, the transmissionof the normal data by the authorized information processor issuppressed, and only the camouflage data are present in the networkunder attack. In the present specification, the attacks in the secondthrough fourth cases are each called a “camouflage data attack whileauthorized data is suppressed”.

In the camouflage data attack while authorized data coexists, since thenormal data and the camouflage data of the authorized informationprocessor coexist, the output cycle of the data differs from a propercycle during the attack. In the camouflage data attack while authorizeddata is suppressed, camouflage data is present as a replacement for thenormal data of an authorized information processor. Thus, the outputcycle of the data sometimes does not differ from the proper cycle evenduring the attack. Although the technique of Patent Literature 1 candetect an anomaly in the data under the camouflage data attack whileauthorized data coexists, Patent Literature 1 cannot detect an anomalyin data under the camouflage data attack while authorized data issuppressed. Thus, the technique of Patent Literature 1 cannotsufficiently monitor anomalies in data. In view of the above, theinventors of the present disclosure have examined a technique that makesit possible to detect an anomaly in data due to the camouflage dataattack while authorized data is suppressed, and have conceived thefollowing technique.

For example, an electronic control apparatus according to one aspect ofthe present disclosure includes: an obtaining unit configured to obtaindata transmitted via a network in a system; and a judging unitconfigured to judge presence or absence of an anomaly in the dataobtained by the obtaining unit, based on a transmission state of thedata. The judging unit is configured to judge that an anomaly is presentin the data, when the transmission state of the data is a transmissionstopped state.

According to the above aspect, the electronic control apparatus judgesthat an anomaly is present in data when the data whose transmissionstate is the transmission stopped state is obtained. Such an electroniccontrol apparatus can detect an anomaly in data, not only when the datais forged with change in the output cycle, but also when the data isforged without change in the output cycle. Thus, such an electroniccontrol apparatus makes it possible to improve the detection accuracy ofan anomaly in data in the network.

The electronic control apparatus according to one aspect of the presentdisclosure may further includes: a determination unit configured todetermine, based on the data obtained by the obtaining unit, thetransmission state of the data.

In the electronic control apparatus according to one aspect of thepresent disclosure, the determination unit may determine, based on firstdata obtained by the obtaining unit, a transmission state of second datawhose transmission source is an information processor that is adestination of the first data, and the judging unit may judge that ananomaly is present in the second data, when the transmission state ofthe second data obtained by the obtaining unit is the transmissionstopped state.

According to the above aspect, the electronic control apparatusdetermines the transmission state of the data transmitted from theinformation processor, based on the first data transmitted to theinformation processor. The electronic control apparatus manages thetransmission state of data for each information processor. Thus, theelectronic control apparatus enables highly accurate and simpledetection of an anomaly in data in the network.

In the electronic control apparatus according to one aspect of thepresent disclosure, the first data includes an instruction instructingthe information processor to execute or stop transmission of data, andthe determination unit may determine that the transmission state of thesecond data is a transmission execution state or the transmissionstopped state in accordance with the instruction included in the firstdata.

According to the above aspect, the electronic control apparatusdetermines the transmission state of the data transmitted from theinformation processor in accordance with the instruction included in thefirst data. Thus, the process of determining a transmission state can besimplified.

In the electronic control apparatus according to one aspect of thepresent disclosure, when third data cyclically outputted by aninformation processor communicatively coupled to the network is notobtained for a predetermined period, the determination unit maydetermine that a transmission state of the third data is thetransmission stopped state; and when the transmission state of the thirddata obtained by the obtaining unit is the transmission stopped state,the judging unit may judge that an anomaly is present in the third data.

According to the above aspect, when the third data is not obtained bythe obtaining unit for a predetermined period, the third data can beconsidered as being in the transmission stopped state. The electroniccontrol apparatus judges that an anomaly is present in the third data,when such third data whose transmission state is the transmissionstopped state is obtained. The electronic control apparatus can detectan anomaly in data, not only when the data is forged with change in theoutput cycle, but also when the data is forged without change in theoutput cycle.

In the electronic control apparatus according to one aspect of thepresent disclosure, when third data cyclically outputted by aninformation processor communicatively coupled to the network is notobtained for a predetermined period, the determination unit maydetermine that a transmission state of fourth data is the transmissionstopped state, the fourth data being different from the third data whosetransmission source is the information processor, and when thetransmission state of the fourth data obtained by the obtaining unit isthe transmission stopped state, the judging unit may judge that ananomaly is present in the fourth data.

According to the above aspect, the electronic control apparatusdetermines, based on the third data that is transmittable from theinformation processor, the transmission state of another data that ispossibly outputted by the information processor. The electronic controlapparatus manages the transmission state of data for each informationprocessor. Thus, the electronic control apparatus enables highlyaccurate and simple detection of an anomaly in data in the network.

In the electronic control apparatus according to one aspect of thepresent disclosure, the determination unit may determine that thetransmission state of the fourth data is a transmission execution stateor the transmission stopped state in accordance with an instructionincluded in fifth data whose destination is the information processor,the fifth data includes the instruction instructing the informationprocessor to execute or stop transmission of data, and when thetransmission state of the fourth data obtained by the obtaining unit isthe transmission stopped state, the judging unit may judge that ananomaly is present in the fourth data.

According to the above aspect, the electronic control apparatusdetermines that data is in the transmission stopped state in both caseswhere the data is not obtained for a predetermined period and where thedata including an instruction for stopping transmission is obtained. Theelectronic control apparatus then judges presence or absence of ananomaly in the data obtained by the obtaining unit based on thetransmission stopped state determined in the above manner. Thus, theelectronic control apparatus makes it possible to improve the accuracyof detecting an anomaly in data.

The electronic control apparatus according to one aspect of the presentdisclosure further includes: a storage unit configured to store, inassociation with one another, i) an information processorcommunicatively coupled to the network, ii) data whose transmissionsource is the information processor, and iii) the transmission state ofthe data whose transmission source is the information processor. Thejudging unit may change the transmission state stored in the storageunit using the transmission state determined by the determination unit,and the judging unit is configured to perform judgment based on thetransmission state stored in the storage unit.

According to the above aspect, the transmission state of data is held inthe storage unit. Since the judging unit performs the judgment using thetransmission state held in the storage unit, the processing of thejudging unit can be simplified.

The electronic control apparatus according to one aspect of the presentdisclosure further includes: a storage unit that stores, in associationwith one another, i) the data transmitted between a plurality ofinformation processors communicatively coupled to the network and ii)the transmission state of the data. The determination unit may changethe transmission state stored in the storage unit using the transmissionstate determined by the judging unit, and the judging unit may performjudgment based on the transmission state stored in the storage unit.

According to the above aspect, the transmission state of data is held inthe storage unit. Since the judging unit performs the judgment using thetransmission state held in the storage unit, the processing of thejudging unit can be simplified.

In the electronic control apparatus according to one aspect of thepresent disclosure, when a power supply of an information processorcommunicatively coupled to the network is in an ON state, the judgingunit may judge that data whose transmission source is the informationprocessor is in a transmission execution state, and when the powersupply of the information processor is in an OFF state, the judging unitmay judge that the data whose transmission source is the informationprocessor is in the transmission stopped state.

According to the above aspect, the number of cases where thetransmission state is determined to be the transmission stopped stateincreases, and thus the electronic control apparatus can improve thedetection accuracy of an anomaly in data.

In the electronic control apparatus according to one aspect of thepresent disclosure, when a state of an information processor is adiagnostic mode or a program updating mode, the determination unit maydetermine that data whose transmission source is the informationprocessor is in the transmission stopped state.

In the electronic control apparatus according to one aspect of thepresent disclosure, the network is a bus network including a pluralityof buses, the electronic control apparatus is provided for a pluralityof buses, and the obtaining unit of the electronic control apparatus mayobtain data from the plurality of buses.

According to the above aspect, the number of electronic controlapparatuses can be reduced, and thus the cost can also be reduced.

In the electronic control apparatus according to one aspect of thepresent disclosure, the network is a bus network including a pluralityof buses, a plurality of electronic control apparatuses are provided forthe plurality of buses, the plurality of electronic control apparatuseseach being the electronic control apparatus, and the obtaining unit ineach of the plurality of the electronic control apparatuses may obtaindata from each of the plurality of buses.

In the above aspect, for example, when the plurality of buses arecommunicatively coupled to one another via a relay apparatus such as agateway, providing the electronic control apparatus for each bus enablesthe electronic control apparatus to monitor the bus while interferencewith processing of the relay apparatus is suppressed. In other words,this allows reliable monitoring of each bus.

A monitoring method according to one aspect of the present disclosure isa monitoring method performed by an electronic control apparatus, themonitoring method including: obtaining data transmitted via a network ina system; and judging that an anomaly is present in the data obtained,when a transmission state of the data is a transmission stopped state.According to the above aspect, effects similar to the effects obtainedwith the electronic control apparatus according to one aspect of thepresent disclosure can be obtained.

A recording medium according to one aspect of the present disclosure isa non-transitory computer-readable recording medium for use in acomputer, the non-transitory computer-readable recording medium having acomputer program recorded thereon for causing the computer to execute:obtaining data transmitted via a network in a system; and judging thatan anomaly is present in the data obtained, when a transmission state ofthe data is a transmission stopped state. According to the above aspect,effects similar to the effects obtained with the electronic controlapparatus according to one aspect of the present disclosure can beobtained.

A gateway apparatus according to one aspect of the present disclosureincludes: an obtaining unit configured to obtain data transmitted via anetwork in a system; a judging unit configured to judge that an anomalyis present in the data obtained by the obtaining unit, when atransmission state of the data is a transmission stopped state; and atransfer unit configured to stop transferring the data, when the judgingunit judges that the anomaly is present in the data.

It should be noted that these general and specific aspects may beimplemented using a system, an apparatus, a method, an integratedcircuit, a computer program, or a computer-readable recording mediumsuch as a recording disk, or, any combination of systems, apparatuses,methods, integrated circuits, computer programs, or computer-readablerecording media. The computer-readable recording medium includes, forexample, a non-volatile recording medium such as a compact disc-readonly memory (CD-ROM). In addition, the apparatus may comprise one ormore apparatuses. When the apparatus comprises two or more apparatuses,the two or more apparatuses may be disposed in a single device, or maybe individually disposed in two or more separate devices. In theSpecification and Claims, “apparatus” means not only a single apparatus,but also a system including a plurality of apparatuses.

Hereinafter, the electronic control apparatus, etc. according to thepresent disclosure are described in detail with reference to thedrawings. Each of the embodiments described below shows a general orspecific example. The numerical values, shapes, structural components,the arrangement and connection of the structural components, steps(processes), the processing order of the steps, etc. shown in thefollowing embodiments are mere examples, and therefore do not limit thescope of the claims of present disclosure. Therefore, among thestructural components in the following embodiments, structuralcomponents not recited in any one of the independent claims aredescribed as arbitrary structural components. In addition, each diagramis a schematic diagram and not necessarily illustrated precisely. Ineach of the diagrams, substantially the same structural components areassigned with the same reference signs, and redundant descriptions willbe omitted or simplified.

Embodiment 1

The following describes a monitoring apparatus 100 according toEmbodiment 1. In the following embodiments, the monitoring apparatus 100is described as one example of the electronic control apparatus, and anapparatus that monitors data in the network in a vehicle. It should benoted that the subject to be monitored by the monitoring apparatus 100is not limited to an in-vehicle network, and may be a network includedin any device.

[1-1. Configuration of Monitoring Apparatus]

The following describes configurations of the monitoring apparatus 100according to Embodiment 1 and surrounding components. FIG. 1 is a blockdiagram illustrating an example of a functional configuration of anin-vehicle network system 1 including a monitoring apparatus 100according to Embodiment 1. The in-vehicle network system 1 includes: anetwork 10, a plurality of information processors 20 communicativelycoupled to the network 10, and the monitoring apparatus 100communicatively coupled to the network 10.

Each of the information processors 20 controls an operation of acorresponding one of the devices in a vehicle, which are notillustrated. An example of each information processor 20 is anelectronic control unit (ECU). Examples of the devices controlled by theinformation processors 20 include a driving apparatus in a vehicle, anaccessory apparatus of the vehicle, and an external interface includedin the vehicle. Examples of the driving apparatus include, but notlimited to, an ignition apparatus, various meters, a transmission,antilock brake system (ABS), an engine, a parking assistance apparatus.Examples of the accessory apparatus include, but not limited to, anelectronic mirror, an air conditioner, an in-vehicle camera, a doorlocking apparatus, a power window. Examples of the external interfaceinclude, but not limited to, a head unit that includes a display such asa touch panel and receives an input from a user, an on-board diagnostics(OBD) unit that outputs a result of self-diagnosis of the vehicle, acommunication module, a navigation system.

The information processors 20 and the monitoring apparatus 100 arecommunicatively coupled to the network 10. The network 10communicatively couples the information processors 20 to one another,and further communicatively couples the information processors 20 to themonitoring apparatus 100. In the present embodiment, the network 10 doesnot communicatively couple, on a one-to-one basis, two apparatuses, forexample, the information processors 20 and the monitoring apparatus 100,etc. The network 10 in the present embodiment is a bus network in whicha signal output to the network 10 is received by all the apparatusescommunicatively coupled to the network 10. For example, in FIG. 1, whenone of the information processors 20 transmits a signal to the network10, all the other information processors 20 and the monitoring apparatus100 in the network 10 can receive the signal. One example of the network10 is a controller area network (CAN). According to the presentembodiment, in the bus network 10, each information processor 20 outputsa signal to the network 10 in a predetermined cycle. One example of thecycle is 20 milliseconds (ms).

The signal, i.e., data, outputted from each information processor 20 tothe network 10 is also called a message. The data includes an ID,namely, identification information (hereafter, also called a “data ID”),and a payload including instruction content. The destination of data isset in the data ID in advance. Each information processor 20 checks thedata ID of the obtained data to confirm the obtained data is addressedto the information processor 20 itself, and executes an instructionincluded in the payload.

The monitoring apparatus 100 monitors, specifically, continuouslymonitors, data output from each information processor 20 to the network10. The monitoring apparatus 100 determines whether data transmittedthrough the network 10 is normal data or anomalous data. The anomalousdata is data outputted from an information processor 20 that no longerfunctions normally due to an attack received from outside of thein-vehicle network system 1, or data outputted from an informationprocessor, etc. that spoofs another information processor 20. The normaldata is data outputted from an information processor 20 that has notbeen attacked from outside and can function normally.

FIG, 2 is a block diagram illustrating an example of the functionalconfiguration of the monitoring apparatus 100 according to Embodiment 1.As illustrated in FIG. 2, the monitoring apparatus 100 includes anobtaining unit 101, a transmission state monitoring unit 102, atransmission state managing unit 103, an anomaly detection unit 104, anoutput unit 105, and a storage unit 106.

The storage unit 106 enables storage and extraction of various kinds ofinformation. The storage unit 106 is implemented by, for example, asemiconductor memory such as a read only memory (ROM), a random accessmemory (RAM), and a flash memory, or a storage apparatus such as a harddisk drive and a solid state drive (SSD), for example. The storage unit106 stores information about the data outputted from each of theinformation processors 20. Furthermore, the storage unit 106 may store aprogram for operating each structural component in the monitoringapparatus 100.

The obtaining unit 101 obtains, from the network 10, data outputted fromeach information processor 20 to the network 10, and outputs the data tothe transmission state monitoring unit 102 and the anomaly detectionunit 104. The obtaining unit 101 obtains data outputted from all theinformation processors 20 to the network 10.

The transmission state monitoring unit 102 determines a transmissionstate of the data, i.e., a transmission state associated with the dataID of the data, based on the data obtained by the obtaining unit 101.The transmission states to be determined include a transmissionexecution state in which data is transmitted to the network 10, and atransmission stopped state in which transmission of data to the network10 is stopped. The transmission state monitoring unit 102 outputs, tothe transmission state managing unit 103, the determined transmissionstate and a data ID subjected to the determined transmission state.

In the present embodiment, the transmission state monitoring unit 102determines the transmission state of each information processor 20,based on data (hereafter also called “instruction data”) including aninstruction instructing the information processor 20 to execute or stoptransmission of data. The destination of the instruction data is theabove information processor 20 whose transmission state is to bedetermined. The transmission state monitoring unit 102 determines thetransmission state of the information processor 20 that is thedestination of the instruction data in accordance with the instructioncontent included in the instruction data. Once the transmission state ofthe information processor 20 is determined, this enables determinationof the transmission state of the data whose transmission source is theinformation processor 20. One example of the instruction data isdiagnostic data, and is also called a diagnostic message. Examples ofthe instruction content of the diagnostic data include an instructioninstructing the destination information processor 20 to change itsoperation mode to a self diagnostic mode or return from the diagnosticmode to a normal mode, or an instruction instructing the destinationinformation processor 20 to change its operation mode to a reprogrammingmode for changing a program or return from the reprogramming mode to thenormal mode. The information processor 20 stops outputting data, i.e.,transmitting data during the diagnostic mode and the reprogramming mode,and the information processor 20 restarts transmitting data after thediagnostic mode and the reprogramming mode is returned to the normalmode. The transmission state monitoring unit 102 outputs, to thetransmission state managing unit 103, a transmission state determinedbased on the instruction content of the instruction data, and a data IDof the instruction data.

The transmission state managing unit 103 manages the transmission stateof data for each data ID. Based on the transmission state of the datatransmitted from the transmission state monitoring unit 102, thetransmission state managing unit 103 changes, i.e., updates, thetransmission state of the data stored in the storage unit 106. When thetransmission state stored in the storage unit 106 is different from thetransmission state transmitted from the transmission state monitoringunit 102, the transmission state managing unit 103 changes thetransmission state in the storage unit 106 to the transmission statetransmitted from the transmission state monitoring unit 102. Here, thetransmission state monitoring unit 102 and the transmission statemanaging unit 103 are examples of a determination unit.

In the present embodiment, as shown in FIG. 3, the storage unit 106stores, in association with one another, i) each data ID and ii) atransmission state of data having the data ID. FIG. 3 is a table showingan example of the relationships between data IDs and transmission statesaccording to Embodiment 1. FIG. 3 shows data IDs that are associatedwith IDs of information processors 20 that are the transmission sourcesof the data having the data IDs. As shown in FIG. 3, the storage unit106 may store, in association with one another, i) each data ID, ii) anID of the information processor 20 that is the transmission source ofthe data, and iii) the transmission state of the data having the dataID. However, the data IDs and the information processors 20 that are thetransmission sources of the data having the data IDs are associated withone another in advance, for example, when the data IDs are set.Therefore, by checking a data ID, it is possible to specify aninformation processor 20 that is the transmission source of the datahaving the data ID. Thus, as shown in FIG. 4, data IDs may be associatedwith only the transmission states of the data having the data IDs, andstored in the storage unit 106. Note that FIG. 4 is a table showinganother example of the relationships between the data IDs and thetransmission states according to Embodiment 1.

As shown in FIG. 5A and FIG. 5B, the relationships shown in FIG. 3 maybe divided into two tables and stored in the storage unit 106. FIG. 5Aand FIG. 5B illustrates another example of the relationships between thedata IDs and the transmission states according to Embodiment 1.Specifically, as shown in FIG. 5A, the storage unit 106 stores, inassociation with one another, i) data IDs and ii) IDs of the informationprocessors 20 that are the transmission sources of the data having theabove data IDs. Furthermore, as illustrated in FIG. 5B, the storage unit106 stores, in association with one another, i) the data IDs and ii) thetransmission states associated with the data IDs. In this case, thetransmission state managing unit 103 manages the transmission state ofeach of the data IDs by referring to relationships in two tables, suchas the tables shown in FIG. 5A and FIG. 5B.

When the transmission state managing unit 103 obtains a transmissionstate and a data ID of an instruction data from the transmission statemonitoring unit 102, all the data IDs of the data whose transmissionsource is the information processor 20 that is the destination of theinstruction data having the data IDs are specified, and the transmissionstates associated with the specified data IDs are changed to theobtained transmission state. For example, when the destinationassociated with a data ID of the instruction data is the informationprocessor 20 having the ID “001” in FIG. 3, and the obtainedtransmission state is the transmission stopped state, the transmissionstate managing unit 103 changes, as shown in FIG. 6, from thetransmission execution states to the transmission stopped states, allthe transmission states associated with the data IDs “0x013”, “0x103”,and “0x045” whose transmission source is the information processor 20having the ID “001”. Note that FIG. 6 is a table illustrating an exampleof relationships between transmission states and data IDs, in which someof the transmission states are changed from the transmission statesshown in FIG. 3.

Furthermore, when transmission state managing unit 103 obtains aninquiry about the transmission state associated with a data ID from theanomaly detection unit 104, the transmission state managing unit 103obtains the transmission state associated with the data ID and outputsthe transmission state to the anomaly detection unit 104 by referring tothe storage unit 106.

The anomaly detection unit 104 inquires of the managing unit 103 aboutthe transmission state associated with a data ID of each data obtainedfrom the obtaining unit 101. The anomaly detection unit 104 determinespresence or absence of an anomaly in the data having the data ID basedon the obtained transmission state. Specifically, the anomaly detectionunit 104 judges that an anomaly is present in data having the data ID,when the transmission state of the obtained data ID is a transmissionstopped state. The anomaly detection unit 104 judges that the data isnormal, when the transmission state of the obtained data ID is atransmission execution state. The anomaly detection unit 104 outputs thejudgment result to the output unit 105. In the present embodiment, theanomaly detection unit 104 outputs a judgment result that an anomaly ispresent to the output unit 105 and does not output a judgment resultthat the data is normal. However, the present disclosure is not limitedto this. Here, the anomaly detection unit 104 is an example of thejudging unit.

Furthermore, the anomaly detection 104 may directly refer to the storageunit 106 without inquiring of the managing unit 103 about thetransmission state of each data obtained from the obtaining unit 101. Inthis case, the anomaly detection unit 104 may obtain a transmissionstate by referring to the obtained data ID and the relationship betweenthe data ID and the transmission state stored in the storage unit 106.

The output unit 105 outputs the judgment result obtained from theanomaly detection unit 104 to outside of the monitoring apparatus 100.The output unit 105 outputs the judgment result to, for example, aninforming apparatus and a control apparatus that controls and manages aninformation processor 20 that is a transmission source of data havingthe data ID subjected to the judgment result. The informing apparatusand the control apparatus are provided in a vehicle and not illustratedin the drawings. Examples of the informing apparatus include a display,a loudspeaker, a warning light, and a warning buzzer. Examples of thedisplay include a liquid crystal panel, and an organic or inorganic EL(Electroluminescence) panel. The informing apparatus informs a user of ajudgment result. When the judgment result is anomalous, a controlapparatus may stop information processor 20, for example, byintercepting a power supply etc., or may cause a vehicle to stop, etc.

Each of the above-described structural components, such as the obtainingunit 101, the transmission state monitoring unit 102, the anomalydetection unit 104, and output unit 105 in the monitoring apparatus 100may be configured by a computer system (not illustrated) which includes,for example, a processor such as a central processing unit (CPU), adigital signal processor (DSP), etc. and a memory such as a randomaccess memory (RAM), a read-only memory (ROM), etc. Part or all of thefunctions of each of the structural components may be achieved by a CPUor a DSP executing a program recorded on a ROM using a RAM as a workingmemory. In addition, part or all of the functions of each of thestructural components may be achieved by a dedicated hardware circuitsuch as an electronic circuit, an integrated circuit, etc. Part or allof the functions of each of the structural components may be achieved bya combination of the above-described software functions and hardwarecircuit. The program may be provided, as an application, throughcommunications via a communication network such as the Internet,communications according to a mobile communication standard, otherwireless network, wired network, broadcast, etc.

[1-2. Operations of Monitoring Apparatus]

The following describes operations of the monitoring apparatus 100according to Embodiment 1. FIG. 7 is a flowchart of an example of theprocess of the operations of monitoring apparatus 100 according toEmbodiment 1. As illustrated in FIG. 7, in Step S1, obtaining unit 101obtains data outputted to the network 10 from each information processor20 from the network 10.

Next, in Step S2, the obtaining unit 101 judges that the obtained datais regular data other than the instruction data, based on the data ID ofthe data. Note that the relationship among the data IDs, the regulardata, and the instruction data are associated with one another inadvance. Thus, the obtaining unit 101 can judge whether the data havingthe data ID is either regular data or instruction data, by identifyingthe data ID. When the data is regular data (Yes in Step S2), theobtaining unit 101 outputs its data ID to the anomaly detection unit104, and proceeds to Step S3. When the data is instruction data (No inStep S2), the obtaining unit 101 outputs the instruction data to thetransmission state monitoring unit 102, and proceeds to Step S4.

In Step S3, the anomaly detection unit 104 inquires of the transmissionstate managing unit 103 about the data ID of the obtained data, andobtains the transmission state of the data ID. The transmission statemanaging unit 103 obtains the transmission state associated with theobtained data ID by referring to the inquired data ID and therelationships between the data ID and the transmission states stored inthe storage unit 106. Subsequently, the transmission state managing unit103 outputs the obtained transmission state to the anomaly detectionunit 104. Next, in Step S5, the anomaly detection unit 104 determineswhether the data ID inquired in Step S3 is associated with thetransmission stopped state. When the data ID is associated with thetransmission stopped state (Yes in Step S5), the anomaly detection unit104 proceeds to Step S6. When the data ID is associated with thetransmission execution state (No in Step S5), the anomaly detection unit104 returns to Step S1.

In Step S6, the anomaly detection unit 104 judges that an anomaly ispresent in the obtained data. The data obtained in Step S1 is data whosedata ID is in the transmission stopped state. Thus, the data can bejudged to be anomalous data. The anomaly detection unit 104 outputs thejudgment result, that is, an anomaly is present, to the output unit 105.Next, in Step S7, the output unit 105 outputs the judgment result to theoutside of the monitoring apparatus 100, and returns to Step S1.

In Step S4, the transmission state monitoring unit 102 checks thecontents of the payload of the obtained instruction data, and judgewhether the contents include an instruction to stop or restart thetransmission. When such instruction is included (Yes in Step S4), thetransmission state monitoring unit 102 determines that the transmissionstate of the information processor 20 subjected to the instruction datais the transmission stopped state or the transmission execution state.The transmission state monitoring unit 102 outputs, to the transmissionstopped state managing unit 103, i) information about the transmissionstopped state or transmission execution state that is determined, andii) the data ID of the instruction data instructing the abovetransmission stopped state or transmission execution state determined.The process then proceeds to Step S8. When no instruction for stoppingor restarting transmission is included (No in Step S4), the transmissionstate monitoring unit 102 returns to Step S1.

In Step S8, the transmission state managing unit 103 updates thetransmission state of the data ID. Specifically, when the transmissionstate managing unit 103 obtains the information indicating thetransmission stopped state, the transmission state managing unit 103changes some of the transmission states stored in the storage unit 106to the transmission stopped state. The transmission states to be changedare the transmission states associated with the data IDs of data whosetransmission source is the information processor 20 that is thedestination of the instruction data having the data IDs obtainedtogether with the information indicating the transmission stopped state.When the transmission state managing unit 103 obtains the informationindicating the transmission execution state, the transmission statemanaging unit 103 changes all the transmission states that are stored inthe storage unit 106 and that are associated with data IDs of the datawhose transmission source is the information processor 20 that is thedestination of the instruction data having the data ID obtained togetherwith the information indicating the transmission execution state, to thetransmission execution state. After the transmission state is changed,the transmission state managing unit 103 returns to Step S1.

[1-3. Effects, Etc.]

As described above, the monitoring apparatus 100 according to Embodiment1 monitors the data transmitted via the network 10 in mobility. Themonitoring apparatus 100 includes: an obtaining unit 101 configured toobtain data transmitted between information processors 20communicatively coupled to a network 10; transmission state monitoringunit 102 and a transmission state managing unit 103, which are adetermination unit, configured to determine, based on the data obtainedby the obtaining unit 101, the transmission state of the data; and ananomaly detection unit 104, which is a judging unit, configured to judgepresence or absence of an anomaly in the data obtained by the obtainingunit 101, based on a transmission state determined by the transmissionstate monitoring unit 102 and the transmission state managing unit 103.The anomaly detection unit 104 is configured to judge that an anomaly ispresent in the data, when the transmission state of the data is atransmission stopped state.

With the above configuration, the monitoring apparatus 100 determines atransmission state associated with the data based on the datatransmitted in the network 10. When the data whose transmission state isa transmission stopped state is obtained, the monitoring apparatus 100judges that an anomaly is present in the data. Such a monitoringapparatus 100 can detect an anomaly in data, not only when the data isforged with change in the output cycle, but also when the data is forgedwithout changing the output cycle. For example, the monitoring apparatus100 can also detect an anomaly in data under either a camouflage dataattack while authorized data coexists or a camouflage data attack whileauthorized data is suppressed. Therefore, the monitoring apparatus 100makes it possible to improve the detection accuracy of the anomaly ofthe data in the network 10.

Furthermore, in the monitoring apparatus 100 according to Embodiment 1,the transmission state monitoring unit 102 and the transmission statemanaging unit 103 may determine, based on first data obtained by theobtaining unit 101, a transmission state of second data whosetransmission source is a first information processor 20 that is adestination of the first data. Furthermore, the anomaly detection unit104 may judge that an anomaly is present in second data, when thetransmission state of the second data obtained by the obtaining unit 101is the transmission stopped state. According to the above configuration,the monitoring apparatus 100 determines that the transmission state ofthe data transmitted from the first information processor 20 isdetermined based on the first data transmitted to the first informationprocessor 20. In other words, the monitoring apparatus 100 manages atransmission state of data for each information processor 20. Thus, themonitoring apparatus 100 enables highly accurate and simple detection ofan anomaly in data in the network 10.

Furthermore, in the monitoring apparatus 100 according to Embodiment 1,the first data may include an instruction instructing the firstinformation processor 20 to execute or stop transmission of data.Moreover, the transmission state monitoring unit 102 and thetransmission managing unit 103 may determine the transmission executionstate or the transmission stopped state of second data in accordancewith an instruction of the first data. According to the aboveconfiguration, the monitoring apparatus 100 determines that thetransmission state of the data transmitted from the first informationprocessor 20 in accordance with the instruction included in the firstdata. Therefore, the process of determining a transmission state can besimplified.

The monitoring apparatus 100 according to Embodiment 1 may furtherincludes: a storage unit 106 configured to store, in association withone another, i) an information processor 20 communicatively coupled tothe network, ii) data whose transmission source is the informationprocessor 20, and iii) the transmission state of the data whosetransmission source is the information processor 20. The transmissionstate managing unit 103 may change the transmission state stored in thestorage unit 106 using the transmission state determined by thetransmission state monitoring unit 102. The anomaly detection unit 104is configured to perform judgment based on the transmission state storedin the storage unit 106. According to the above configuration, thetransmission state of data is held in the storage unit 106. Since theanomaly detection unit 104 performs judgment using the transmissionstate held in the storage unit 106, the processing by the anomalydetection unit 104 can be simplified.

Embodiment 2

The following describes a monitoring apparatus 200 according toEmbodiment 2. The monitoring apparatus 200 according to Embodiment 2differs from Embodiment 1 in that the transmission state of data isdetermined based on the output cycle of the data. The monitoringapparatus 200 according to Embodiment 2 manages a transmission state foreach data ID, without associating data with information processors 20.The following mainly describes points different from Embodiment 1, andpoints similar to Embodiment 1 are omitted.

[2-1. Configuration of Monitoring Apparatus]

FIG. 8 is a block diagram illustrating one example of the functionalconfiguration of the monitoring apparatus 200 according to Embodiment 2.As illustrated in FIG. 8, the monitoring apparatus 200 includes anobtaining unit 201, a transmission state monitoring unit 202, atransmission state managing unit 203, the anomaly detection unit 104,the output unit 105, the storage unit 106, and a clock unit 207. Sincethe configurations of the anomaly detection unit 104, the output unit105, and the storage unit 106 are the same as those in Embodiment 1, thedetailed description is omitted.

The clock unit 207 includes an apparatus that measures elapsed time,such as a timer or a clock. The clock unit 207 measures, for each dataID, a time elapsed from a time at which data having an associated dataID is obtained by the obtaining unit 201. The clock unit 207 outputs, tothe transmission state monitoring unit 202, the measurement resultassociated with the data ID. During the measurement, when new datahaving the data ID is obtained, the clock unit 207 resets the elapsedtime to zero, and starts new measurement. Furthermore, the elapsed timein which data having the associated ID cannot be obtained reaches apredetermined period with respect to each data ID, the clock unit 207detects the state as a timeout state. The clock unit 207 outputs themeasurement result to the transmission state monitoring unit 202, inassociation with the data ID and the information indicating the timeoutstate.

The obtaining unit 201 obtains, from the network 10, data outputted fromeach information processor 20 to the network 10, and outputs the data tothe transmission state monitoring unit 202, and the anomaly detectionunit 104, and the clock unit 207. The obtaining unit 201 outputs both ofthe instruction data and the regular data to the transmission statemonitoring unit 202, the anomaly detection unit 104, and the clock unit207.

Transmission state monitoring unit 202 determines, for each data ID thatis obtainable by the obtaining unit 201, a transmission state associatedwith the data ID obtained by the obtaining unit 201 based on an elapsedtime corresponding to the data ID measured by the clock unit 207.Specifically, the transmission state monitoring unit 202 monitors, foreach data ID, whether data having an associated data ID is periodicallyoutputted to the network 10 from the information processor 20. Note thatthe information processor 20 outputs the data having the data IDassigned to the data in a predetermined cycle. The transmission statemonitoring unit 202 determines that the transmission state correspondingto the data ID is a transmission stopped state, when the data having thedata ID is not obtained for equal to or more than a predeterminedperiod, specifically, when the information indicating the data ID is ina timeout state is obtained from the clock unit 207. When the datahaving the data ID is obtained in a period less than the predeterminedperiod, specifically, when the data having the data ID is obtained fromthe clock unit 207 without information indicating that the data havingthe data ID is in a timeout state, the transmission state monitoringunit 202 determines that the transmission state associated with the dataID is a transmission execution state. The transmission state monitoringunit 202 outputs, to the transmission state managing unit 203, thedetermined transmission state and a data ID which is subjected to thedetermined transmission state.

The predetermined period is a period longer than an output cycle of aninformation processor 20 outputting data having the data ID. An outputcycle is set for each data ID. For example, the predetermined period maybe an N cycle (N≥2). When N=10 and the output cycle is 40 ms, thepredetermined period is 400 ms.

The transmission state managing unit 203 manages the transmission stateof data for each data ID. The transmission state managing unit 203updates the transmission state of the data ID stored in the storage unit106 based on the transmission state of the data ID transmitted from thetransmission state monitoring unit 202. In the present embodiment, asshown in FIG. 9, each data ID is associated with a transmission statecorresponding to the data ID, and stored in the storage unit 106. FIG. 9is a table illustrating one example of the relationships between dataIDs and transmission states according to Embodiment 2. When thetransmission state managing unit 203 obtains a transmission state and adata ID from the transmission state monitoring unit 202, thetransmission state managing unit 203 changes the transmission stateassociated with the data ID to the obtained transmission state.Furthermore, when the transmission state managing unit 203 receives aninquiry about a transmission state of a data ID from the anomalydetection unit 104, the transmission state managing unit 203 obtains thetransmission state associated with the data ID by referring to thestorage unit 106, and outputs the transmission state associated with thedata ID to the anomaly detection unit 104.

The anomaly detection unit 104 inquires of the transmission statemanaging unit 203 about a transmission state associated with a data IDwith respect to each data obtained from the obtaining unit 201. Then,the anomaly detection unit 104 judges presence or absence of an anomalyin the data having the data ID, based on the transmission state obtainedfrom the transmission state managing unit 203. When the transmissionstate associated with the obtained data ID is the transmission stoppedstate, the anomaly detection unit 104 judges that an anomaly is presentin the data having the obtained data ID. When the transmission stateassociated with the obtained data ID is the transmission executionstate, the anomaly detection unit 104 judges that the data having thedata ID is normal. Note that the anomaly detection unit 104 may directlyobtain the transmission state for a data ID from the storage unit 106without inquiring of the transmission managing unit 203 about thetransmission state of each data obtained from the obtaining unit 201.

[2-2. Operations of Monitoring Apparatus]

The following describes operations of the monitoring apparatus 200according to Embodiment 2. FIG. 10 is a flowchart of one example of theprocess of the operations of monitoring apparatus 200 according toEmbodiment 2. Note that FIG. 10 shows the operations of the monitoringapparatus 200 for data outputted from one information processor 20.

As shown in FIG. 10, in Step S21, the obtaining unit 201 or the clockunit 207 obtains data from the information processor 20 or detects atimeout state, and the detected result is outputted to the transmissionstate monitoring unit 202. Specifically, when the obtaining unit 201obtains, from the network 10, data outputted from the informationprocessor 20 to the network 10, the obtained data is transmitted to thetransmission state managing unit 202. Accordingly, the data ID of theobtained data is also outputted to the transmission state monitoringunit 202. Alternatively, when the timeout state of the data having thedata ID which is supposed to be cyclically outputted from theinformation processor 20 to the network 10 is detected, the clock unit207 associates the data ID with the information indicating the timeoutstate and outputs it to the transmission state monitoring unit 202.

Next, in Step S22, the transmission state monitoring unit 202 judgeswhether the data ID matches the data ID of the obtained data. When thedata ID is associated with the obtained data (Yes in Step S22), thetransmission state monitoring unit 202 proceeds to Step S23. When thedata ID is not associated with the obtained data, i.e., the data ID isassociated with the timeout state (No in Step S22), the transmissionstate monitoring unit 202 determines that the transmission state of thedata ID is the transmission stopped state. Furthermore, the transmissionstate monitoring unit 202 outputs, to the transmission state managingunit 203, i) information indicating the transmission stopped state, andii) an data ID subjected to the transmission stopped state. Thetransmission state monitoring unit 202 then proceeds to Step S24.

In Step S24, the transmission state managing unit 203 updates thetransmission state associated with the data ID. Specifically, thetransmission state managing unit 203 changes the transmission state thatis stored in the storage unit 106 and that is associated with the dataID subjected to the obtained information indicating the transmissionstopped state, to the transmission stopped state. Subsequently, thetransmission state managing unit 203 returns to Step S21.

In Step S23, the anomaly detection unit 104 judges whether the datahaving the data ID obtained in Step S22 is in the transmission stoppedstate. When the data having the data ID is in the transmission stoppedstate (Yes in Step S23), the anomaly detection unit 104 proceeds to StepS25. When the data having the data ID is in the transmission executionstate (No in Step S23), the anomaly detection unit 104 returns to StepS21.

In Step S25, the anomaly detection unit 104 judges that an anomaly ispresent in the data having the obtained data ID. The anomaly detectionunit 104 outputs the judgment result indicating an anomaly is present inthe data to the output unit 105. Next, in Step S26, the output unit 105outputs the judgment result to the outside of the monitoring apparatus200, and returns to Step S21.

[2-3. Effects, Etc.]

Since the other configurations and operations of the monitoringapparatus 200 according to Embodiment 2 are the same as those ofEmbodiment 1, the description thereof is omitted. With the monitoringapparatus 200 according to Embodiment 2, similar effects as inEmbodiment 1 can be obtained.

Furthermore, in the monitoring apparatus 200 according to Embodiment 2,the obtaining unit 201 obtains third data cyclically outputted by aninformation processor 20 communicatively coupled to the network. Whenthe third data is not obtained by the obtaining unit 201 for apredetermined period, the transmission state monitoring unit 202 maydetermine that a transmission state of the third data is thetransmission stopped state. When the transmission state of the thirddata obtained by the obtaining unit 201 is the transmission stoppedstate, the anomaly detection unit 104 may judge that an anomaly ispresent in the third data.

With the above configuration, when the third data is not obtained by theobtaining unit 201 for a predetermined period, the third data can beconsidered as being in the transmission stopped state. The monitoringapparatus 200 judges that an anomaly is present in the third data, whensuch third data whose transmission state is the transmission stoppedstate is obtained. The monitoring apparatus 200 can detect an anomaly indata, not only when the data is forged with change in the output cycle,but also when the data is forged without change in the output cycle.

Furthermore, the monitoring apparatus 200 according to Embodiment 2 mayfurther includes: a storage unit 106 that stores, in association withone another, i) the data transmitted between a plurality of informationprocessors 20 communicatively coupled to the network and ii) thetransmission state of the data transmitted between the informationprocessors 20. The transmission state managing unit 203 may change thetransmission state stored in the storage unit 106 using the transmissionstate determined by the transmission monitoring unit 202. The anomalydetection unit 104 may perform judgment based on the transmission statestored in the storage unit 106. With the above configuration, thetransmission state associated with data is held in the storage unit 106.Since the anomaly detection unit 104 performs judgment using thetransmission state held in the storage unit 106, the processing by theanomaly detection unit 104 can be simplified.

Embodiment 3

The following describes a monitoring apparatus 300 according toEmbodiment 3. Similar to Embodiment 2, the monitoring apparatus 300according to Embodiment 3 determines a transmission state of data basedon the output cycle of the data. However, the monitoring apparatus 300according to Embodiment 3 differs from the monitoring apparatus 200according to Embodiment 2 in that the monitoring apparatus 300 manages atransmission state for each data ID in association with the data andeach information processor 20. The following mainly describes pointsdifferent from Embodiments 1 and 2, and points similar to Embodiments 1and 2 are omitted.

FIG. 11 is a block diagram illustrating an example of the functionalconfiguration of the monitoring apparatus 300 according to Embodiment 3.As illustrated in FIG. 11, the monitoring apparatus 300 includes theobtaining unit 201, the transmission state monitoring unit 202, atransmission state managing unit 303, the anomaly detection unit 104,the output unit 105, the storage unit 106, and the clock unit 207. Sincethe configurations of the obtaining unit 201, transmission statemonitoring unit 202, the anomaly detection unit 104, the output unit105, the storage unit 106, and the clock unit 207 are the same as theconfigurations in Embodiment 2, the detailed description is omitted.

The transmission state managing unit 303 performs processing similar tothe processing of the transmission state managing unit 103 inEmbodiment 1. Specifically, based on the transmission state of the dataID transmitted from the transmission state monitoring unit 202, thetransmission state managing unit 303 updates the transmission state ofthe data ID stored in the storage unit 106. In the present embodiment,as shown in FIG. 3, the storage unit 106 stores, in association with oneanother, i) each data ID, ii) an ID of an information processor 20 thatis a transmission source of the data, and iii) the data transmissionstate associated with the data ID.

When the transmission state managing unit 303 obtains, from thetransmission monitoring unit 202, a transmission state and a data IDwhich is subjected to the obtained transmission state, the transmissionstates of all the data whose transmission source is the informationprocessor 20 which is the transmission source of the data having theobtained data ID are changed to the obtained transmission state. Notethat in the present embodiment, the transmission state managing unit 303changes the transmission state associated with the data ID, when theobtained transmission state is the transmission stopped state. When theobtained transmission state is the transmission execution state, thetransmission state managing unit 303 maintains the transmission stateassociated with the data ID as it is, and does not change thetransmission state. However, the present disclosure is not limited tothis. The transmission state associated with the data ID may be changedalso in the latter case.

The anomaly detection unit 104 inquires of the transmission statemanaging unit 303 about the transmission state associated with the dataID of the data obtained from the obtaining unit 201, and judges presenceor absence of an anomaly in the data having the data ID based on thetransmission state obtained from the transmission state managing unit303. Note that the anomaly detection unit 104 may directly obtain thetransmission state associated with a data ID from the storage unit 105without inquiring of the managing unit 303 about the transmission stateassociated with the data ID.

Since the other configurations and operations of the monitoringapparatus 300 according to Embodiment 3 are the same as those ofEmbodiment 1 or 2, the descriptions thereof are omitted. With themonitoring apparatus 300 according to Embodiment 3, similar effects asin Embodiment 2 can be obtained. Furthermore, in the monitoringapparatus 300 according to Embodiment 3, when data is not obtained bythe obtaining unit 201 for a predetermined period, the transmissionstate monitoring unit 202 and the transmission state managing unit 303may determine that a transmission state of fourth data is thetransmission stopped state, the fourth data being other data whosetransmission source is the information processor 20 associated with thedata that is not obtained for the predetermined period. When thetransmission state of the fourth data obtained by the obtaining unit 201is the transmission stopped state, the anomaly detection unit 104 mayjudge that an anomaly is present in the fourth data. According to theabove aspect, the electronic control apparatus 300 determines atransmission state of data that is possibly outputted by the informationprocessor 20, based on the third data transmitted by the informationprocessor 20. The monitoring apparatus 300 manages the transmissionstates of data for each information processor 20. Thus, the monitoringapparatus 300 can perform highly accurate and simple detection of ananomaly in data in the network 10.

Embodiment 4

The following describes a monitoring apparatus 400 according toEmbodiment 4. The monitoring apparatus 400 according to Embodiment 4differs from Embodiments 1 to 3 in that the transmission state of datais determined based on the contents of instruction in the instructiondata and the output cycle of the data. The monitoring apparatus 400according to Embodiment 4 manages a transmission state for each data IDin association with the data and each information processor 20. Thefollowing mainly describes points different from Embodiments 1 to 3, andpoints similar to Embodiments 1 to 3 are omitted.

FIG. 12 is a block diagram illustrating an example of the functionalconfiguration of the monitoring apparatus 400 according to Embodiment 4.As illustrated in FIG. 12, the monitoring apparatus 400 includes theobtaining unit 201, a transmission state monitoring unit 402, atransmission state managing unit 403, an anomaly detection unit 404, theoutput unit 105, the storage unit 106, and the clock unit 207. Since theconfigurations of the obtaining unit 201, output unit 105, the storageunit 106 and the clock unit 207 are the same as the configurations inEmbodiment 2, the detailed description is omitted.

The obtaining unit 201 obtains, from the network 10, both instructiondata and regular data outputted from each information processor 20 tothe network 10, and outputs the data to the transmission statemonitoring unit 402, the anomaly detection unit 404, and the clock unit207.

Similar to Embodiment 3, the transmission state monitoring unit 402determines, for each data ID that is obtainable by the obtaining unit201, a transmission state associated with the data ID based on anelapsed time corresponding to the data ID measured by the clock unit207. The transmission state monitoring unit 402 determines that thetransmission state associated with the data ID is the transmissionstopped state, when the data having the data ID is not obtained forequal to or more than a predetermined period, specifically, when theinformation indicating its data ID is in a timeout state is obtainedfrom the clock unit 207. Moreover, the transmission state monitoringunit 202 determines the transmission state associated with the data IDto be the transmission execution state, when the data having data ID isobtained in a period less than the predetermined period. In thefollowing, the contents of the decision that has been made by thetransmission state monitoring unit 402 based on such a predeterminedperiod is called a “first decision”.

Furthermore, similar to Embodiment 1, when the transmission statemonitoring unit 402 obtains instruction data from the obtaining unit201, the transmission state monitoring unit 402 determines thetransmission state of the information processor 20 that is thedestination of the instruction data, in accordance with the instructionincluded in the instruction data. In the following, the content of thedecision that has been made by the transmission state monitoring unit402 based on such instruction data is called a “second decision”. Thetransmission state monitoring unit 402 outputs, in association with oneanother, i) the first decision or the second decision, and ii) a data IDsubjected to the determined decision, to the transmission state managingunit 403.

When the transmission state managing unit 403 obtains the firstdecision, the transmission state managing unit 403 performs similarprocessing performed by the transmission state managing unit 303 inEmbodiment 3. When the transmission state managing unit 403 obtains thesecond decision, the transmission state managing unit 403 performssimilar processing performed by the transmission state managing unit 103in Embodiment 1. Note that the storage unit 106 stores, in associationwith one another, i) each data ID, ii) an ID of an information processor20 that is a transmission source of the data having the data ID, andiii) the data transmission state associated with the data ID, as shownin FIG. 3, for example.

Specifically, the transmission state managing unit 403 updates thetransmission state stored in the storage unit 106 based on thetransmission state included in the obtained decision in both cases wherethe first decision is obtained and where the second decision isobtained. Specifically, when the transmission state managing unit 403obtains the first decision including the transmission execution state,the transmission state managing unit 403 maintains, as they are, thetransmission states associated with the all data IDs of data whosetransmission source is the information processor 20 that is thetransmission source of the data ID subjected to the first decision. Whenthe transmission state managing unit 403 obtains the first decisionincluding the transmission stopped state, the transmission statemanaging unit 403 changes the transmission states to the transmissionstopped states for the all data IDs of data whose transmission source isthe information processor 20 that is the transmission source of the datahaving the data ID subjected to the first decision.

Furthermore, when the transmission state managing unit 403 obtains thesecond decision including the transmission stopped state, thetransmission state managing unit 403 changes the transmission states tothe transmission stopped states for the all data IDs of data whosetransmission source is the information processor 20 that is adestination of the instruction data having the data ID subjected to thesecond decision. Furthermore, when the transmission state managing unit403 obtains the second decision including the transmission executionstate, the transmission state managing unit 403 changes the transmissionstates to the transmission execution states for the all data IDs of datawhose transmission source is the information processor 20 that is adestination of the instruction data having the data ID subjected to thesecond decision.

The anomaly detection unit 404 inquires of the transmission statemanaging unit 403 about a transmission state associated with the data IDfor each of the data obtained from the obtaining unit 201, and judgespresence or absence of an anomaly in the data having the data ID basedon the transmission state obtained from the transmission state managingunit 403. Here, the transmission state managing unit 403 that hasreceived the inquiry about the data ID obtains the transmission stateassociated with the data ID by referring to the relationships stored instorage unit 106, for example, the relationships shown in FIG. 3.Subsequently, the transmission state managing unit 403 outputs thetransmission state to the anomaly detection unit 404. Note that theanomaly detection unit 404 may directly obtain the transmission stateassociated with a data ID from the storage unit 106 without inquiring ofthe managing unit 403 about the transmission state.

Since the other configurations and operations of the monitoringapparatus 400 according to Embodiment 4 are the same as that ofEmbodiments 1 to 3, the description thereof is omitted. With themonitoring apparatus 400 according to Embodiment 4, similar effects asin Embodiments 1 and 3 can be obtained.

Furthermore, in the monitoring apparatus 400 according to Embodiment 4,when data is not obtained by the obtaining unit 201 for a predeterminedperiod, the transmission state monitoring unit 402 and the transmissionstate managing unit 403 may determine that a transmission state offourth data is the transmission stopped state, the fourth data beingdata whose transmission source is the information processor 20associated with the data that is not obtained for the predeterminedperiod. Moreover, when the transmission state of the fourth dataobtained by the obtaining unit 201 is the transmission stopped state,the anomaly detection unit 404 may judge that an anomaly is present inthe fourth data. Moreover, the transmission state monitoring unit 402and the transmission state managing unit 403 may determine that thetransmission state of sixth data whose transmission source is aninformation processor 20 is a transmission execution state or thetransmission stopped state in accordance with an instruction included infifth data which is obtained by the obtaining unit 201 and whosedestination is the above information processor 20. Note that the fifthdata may include the instruction instructing the information processor20 to execute or stop transmission of data. When the transmission stateof the sixth data is obtained by the obtaining unit 201 and thetransmission state of the sixth data is the transmission stopped state,the anomaly detection unit 404 may judge that an anomaly is present inthe sixth data.

With the above configuration, the monitoring apparatus 400 determinesthat data is in the transmission stopped state in both cases where thedata is not obtained by the obtaining unit 201 for a predeterminedperiod and where the data including an instruction for stoppingtransmission is obtained. The monitoring apparatus 400 then judgespresence or absence of an anomaly in the data obtained by the obtainingunit 201 based on the transmission stopped state determined in the abovemanner. Thus, the monitoring apparatus 400 makes it possible to improvethe detection accuracy of an anomaly in data.

Other Variations

Although the monitoring apparatus, etc. according to one or more aspectsof the present disclosure have been described based on the embodiments,the present disclosure is not limited to the above embodiments. Otherforms in which various modifications apparent to those skilled in theart are applied to the embodiments and variations, or forms structuredby combining structural components of different embodiments andvariations may be included within the scope of one or more aspects ofthe present disclosure, unless such changes and variations depart fromthe scope of the present disclosure.

For example, in the monitoring apparatus according to the embodiments,the network 10 to which the monitoring apparatus is communicativelycoupled includes one bus, and a plurality of information processors 20are connected to the bus. However, the present disclosure is not limitedto this configuration. The network to which the monitoring apparatus iscommunicatively coupled may be a bus network including a plurality ofbuses. In this case, one monitoring apparatus may be communicativelyconnected to a plurality of buses and may monitor the plurality of busescollectively. The obtaining unit of the monitoring apparatus may obtaindata from the plurality of buses. With such a configuration, the numberof monitoring apparatuses can be reduced, and thus the cost can also bereduced.

Alternatively, a plurality of monitoring apparatuses may be provided fora plurality of buses, and the obtaining unit in each of the monitoringapparatuses may obtain data from a corresponding one of the buses. Forexample, when the plurality of buses are communicatively coupled to oneanother via a relay apparatus such as a gateway, providing onemonitoring apparatus for each bus enables the monitoring apparatus tomonitor the bus while interference with processing of the relayapparatus is suppressed. In other words, this allows reliable monitoringof each bus.

The monitoring apparatus according to one or more embodiments abovedetermines that data is in the transmission stopped state wheninstruction to stop transmission of data is included in instructiondata, and when data is not obtained for a predetermined period. However,the present disclosure is not limited to this example. For example, whena power supply of an information processor 20 communicatively coupled tothe network is in an ON state, the transmission state monitoring unit ofthe monitoring apparatus may determine that data whose transmissionsource is the information processor 20 is in a transmission executionstate, and when the power supply of the information processor 20 is inan OFF state, the transmission state monitoring unit may determine thatthe data whose transmission source is the information processor 20 is inthe transmission stopped state. With the above configuration, the numberof cases where the transmission state is correctly determined to be thetransmission stopped state increases, and thus the monitoring apparatuscan improve the detection accuracy of an anomaly in data. For example,when the network to which the monitoring apparatus is communicativelycoupled is an in-vehicle network, the above information processor 20 mayoperate by an ignition switch of a vehicle. Such a monitoring apparatusmay determine the transmission state of information processor 20 to bethe transmission stopped state or the transmission execution state, whenthe change of the ignition switch is detected, such as when the ignitionswitch is switched from an ON state to an OFF state, or switched fromthe OFF state to an ON state.

Moreover, the monitoring apparatus according to one or more embodimentsabove is not limited to the configuration in which the monitoringapparatus is communicatively coupled to a network as a dedicatedmonitoring apparatus. The monitoring apparatus may be mounted as anextra feature in the information processor that has already beeninstalled in the network, or in a relay apparatus such as a gateway.When the monitoring apparatus is mounted in a relay apparatus, the relayapparatus may be configured such that the monitoring apparatus stopstransferring a data ID for which an anomaly is detected. This preventsanomalous data from spreading to other networks communicatively coupledto the relay apparatus.

Moreover, the monitoring apparatus according to one or more embodimentsabove may also include an authentication unit that authenticatesvalidity of data itself, as illustrated in FIG. 13. The monitoringapparatus may determine the transmission state using obtained data, onlywhen the validity of the obtained data is confirmed. Note that FIG. 13is a block diagram illustrating an example of the functionalconfiguration of a monitoring apparatus 500 according to a variation ofEmbodiment 1. In the present variation, an authentication unit 508 inthe monitoring apparatus 500 authenticates the validity of instructiondata. In this case, instruction data includes an authorization code,such as a message authentication code (MAC). The authentication unit 508authenticates the validity of instruction data by verifying anauthorization code of instruction data. The transmission statemonitoring unit 102 determines the transmission state of data subjectedto the instruction data, in accordance with the instruction oftransmission state included in valid instruction data, and does notfollow an instruction of transmission state included in invalidinstruction data. Note that the authentication result of theauthentication unit 508 does not need to be used by the transmissionstate monitoring unit 102, and may be used by the anomaly detection unit104 in judging an anomaly. As in Embodiments 2 to 4, when a transmissionstopped state is determined based on an interval between obtaining data,the transmission state monitoring unit may determine the transmissionstopped state based on only an interval between obtaining valid data.

Although the monitoring apparatus according to one or more embodimentsabove manages the transmission state of each data ID using therelationship in which each data ID stored in the storage unit 106 isassociated with its transmission state. However, the present disclosureis not limited to this configuration. For example, the monitoringapparatus may manage the transmission state of each data using therelationship in which data content and its transmission state areassociated with one another.

Moreover, the monitoring apparatus according to one or more embodimentsabove is communicatively coupled to a bus network such as CAN, but thepresent disclosure is not limited to this. The monitoring apparatus maybe communicatively coupled to a network of other standards, such asEthernet (registered trademark), Media Oriented System Transport (MOST),Local Interconnect Network (LIN), and FlexRay, and monitor the networkthat is communicatively coupled.

As described above, the technique according to the present disclosuremay be implemented using a system, an apparatus, a method, an integratedcircuit, a computer program, or a computer-readable recording mediumsuch as a recording disk, or any combination of systems, apparatuses,methods, integrated circuits, computer programs, or computer-readablerecording media. The computer-readable recording medium includes, forexample, a non-volatile recording medium such as a compact disc-readonly memory (CD-ROM).

For example, each of the processing units included in the foregoingembodiments and variations are typically implemented as a large scaleintegration (LSI) which is an integrated circuit. These processing unitsmay be individually configured as single chips, or may be configured sothat part or all of the processing units are included in a single chip.

Moreover, the method of circuit integration is not limited to LSI.Integration may be implemented with a dedicated circuit or a generalpurpose processor. After the LSI circuit is manufactured, a fieldprogrammable gate array (FPGA) or a reconfigurable processor capable ofreconfiguring the connections and settings of the circuit cells in thelarge scale integrated circuit may be used.

Note that in the above embodiments, all or some of the elements may beconfigured as a dedicated hardware, or may be implemented by executing asoftware program suitable for each structural component. Each structuralcomponent may be implemented as a result of a program execution unit ofa central processing unit (CPU) or processor or the like reading andexecuting a software program stored on a storage medium such as a harddisk or semiconductor memory.

A portion or all of the structural components described above may eachbe configured as an integrated circuit (IC) card that is detachablyattached to each apparatus, or as a stand-alone module. The IC card andthe module are computer systems including a microprocessor, ROM, andRAM, for example. The IC card and the module may also include the LSIdescribed above or system LSI. The IC card or the module achieves itsfunction as a result of the microprocessor operating in accordance witha computer program. The IC card and the module may be tamperproof.

The technique according to the present disclosure may be implemented bythe following monitoring method, for example. The monitoring methodaccording to the present disclosure may be implemented by a processorsuch as a micro processing unit (MPU) and CPU, a circuit such as an LSI,an IC card or a stand-alone module, etc. Such a monitoring methodincludes: obtaining data transmitted via a network in mobility;determining, based on the data obtained, a transmission state of thedata; and judging presence or absence of an anomaly in the data obtainedbased on the transmission state determined, and in the judging, judgingthat an anomaly is present in the data, when the transmission state ofthe data is a transmission stopped state.

In addition, the technique according to the present disclosure may beimplemented by a software program or a digital signal including asoftware program, or a non-transitory computer-readable recording mediumhaving a program recorded thereon. It should be understood that theabove-described program can be distributed via a transmission mediumsuch as the Internet. Such a program may cause a computer to execute:obtaining data transmitted via a network in mobility; determining, basedon the data obtained, a transmission state of the data; and judgingpresence or absence of an anomaly in the data obtained based on thetransmission state determined, and in the judging, judging that ananomaly is present in the data, when the transmission state of the datais a transmission stopped state.

Moreover, each of the numerals such as ordinal numbers and numericalquantities used in the above description is used for exemplification tospecifically describe the technique of the present disclosure, and thepresent disclosure is not limited by the numerals used forexemplification. In addition, the relation of connection between thestructural components is used for exemplification to specificallydescribe the technique of the present disclosure, and the relation ofconnection which implements the functions of the present disclosure isnot limited to this.

Furthermore, the division of the functional blocks illustrated in theblock diagrams has been presented as one example. Accordingly, aplurality of functional blocks may be implemented as one functionalblock, or one functional block may be divided into a plurality offunctional blocks or a portion of the functions may be transferred toanother functional block. In addition, functions of a plurality offunctional blocks having similar functions may be processed by singlehardware or software in parallel or in time division.

Although only some exemplary embodiments of the present disclosure havebeen described in detail above, those skilled in the art will readilyappreciate that many modifications are possible in the exemplaryembodiments without materially departing from the novel teachings andadvantages of the present disclosure. Accordingly, all suchmodifications are intended to be included within the scope of thepresent disclosure.

INDUSTRIAL APPLICABILITY

The technique according to the present disclosure is useful inmonitoring a network.

1. An electronic control apparatus, comprising: an obtaining unitconfigured to obtain data transmitted via a network in a system; and ajudging unit configured to judge presence or absence of an anomaly inthe data obtained by the obtaining unit, based on a transmission stateof the data, wherein the judging unit is configured to judge that ananomaly is present in the data, when the transmission state of the datais a transmission stopped state.
 2. The electronic control apparatusaccording to claim 1, further comprising: a determination unitconfigured to determine, based on the data obtained by the obtainingunit, the transmission state of the data.
 3. The electronic controlapparatus according to claim 2, wherein the determination unit isconfigured to determine, based on first data obtained by the obtainingunit, a transmission state of second data whose transmission source isan information processor that is a destination of the first data, andthe judging unit is configured to judge that an anomaly is present inthe second data, when the transmission state of the second data obtainedby the obtaining unit is the transmission stopped state.
 4. Theelectronic control apparatus according to claim 3, wherein the firstdata includes an instruction instructing the information processor toexecute or stop transmission of data, and the determination unit isconfigured to determine that the transmission state of the second datais a transmission execution state or the transmission stopped state inaccordance with the instruction included in the first data.
 5. Theelectronic control apparatus according to claim 2, wherein when thirddata cyclically outputted by an information processor communicativelycoupled to the network is not obtained for a predetermined period, thedetermination unit is configured to determine that a transmission stateof the third data is the transmission stopped state; and when thetransmission state of the third data obtained by the obtaining unit isthe transmission stopped state, the judging unit is configured to judgethat an anomaly is present in the third data.
 6. The electronic controlapparatus according to claim 2, wherein when third data cyclicallyoutputted by an information processor communicatively coupled to thenetwork is not obtained for a predetermined period, the determinationunit is configured to determine that a transmission state of fourth datais the transmission stopped state, the fourth data being different fromthe third data whose transmission source is the information processor,and when the transmission state of the fourth data obtained by theobtaining unit is the transmission stopped state, the judging unit isconfigured to judge that an anomaly is present in the fourth data. 7.The electronic control apparatus according to claim 6, wherein thedetermination unit is configured to determine that the transmissionstate of the fourth data is a transmission execution state or thetransmission stopped state in accordance with an instruction included infifth data whose destination is the information processor, the fifthdata includes the instruction instructing the information processor toexecute or stop transmission of data, and when the transmission state ofthe fourth data obtained by the obtaining unit is the transmissionstopped state, the judging unit is configured to judge that an anomalyis present in the fourth data.
 8. The electronic control apparatusaccording to claim 2, further comprising: a storage unit configured tostore, in association with one another, i) an information processorcommunicatively coupled to the network, ii) data whose transmissionsource is the information processor, and iii) the transmission state ofthe data whose transmission source is the information processor, whereinthe determination unit is configured to change the transmission statestored in the storage unit using the transmission state determined bythe determination unit, and the judging unit is configured to performjudgment based on the transmission state stored in the storage unit. 9.The electronic control apparatus according to claim 2, furthercomprising: a storage unit that stores, in association with one another,i) the data transmitted between a plurality of information processorscommunicatively coupled to the network and ii) the transmission state ofthe data, wherein the determination unit is configured to change thetransmission state stored in the storage unit using the transmissionstate determined by the determination unit, and the judging unit isconfigured to perform judgment based on the transmission state stored inthe storage unit.
 10. The electronic control apparatus according toclaim 2, wherein when a power supply of an information processorcommunicatively coupled to the network is in an ON state, thedetermination unit is configured to determine that data whosetransmission source is the information processor is in a transmissionexecution state, and when the power supply of the information processoris in an OFF state, the determination unit is configured to determinethat the data whose transmission source is the information processor isin the transmission stopped state.
 11. The electronic control apparatusaccording to claim 2, wherein when a state of an information processoris a diagnostic mode or a program updating mode, the determination unitis configured to determine that data whose transmission source is theinformation processor is in the transmission stopped state.
 12. Theelectronic control apparatus according to claim 1, wherein the networkis a bus network including a plurality of buses, the electronic controlapparatus is provided for a plurality of buses, and the obtaining unitof the electronic control apparatus is configured to obtain data fromthe plurality of buses.
 13. The electronic control apparatus accordingto claim 1, wherein the network is a bus network including a pluralityof buses, a plurality of electronic control apparatuses are provided forthe plurality of buses, the plurality of electronic control apparatuseseach being the electronic control apparatus, and the obtaining unit ineach of the plurality of the electronic control apparatuses isconfigured to obtain data from each of the plurality of buses.
 14. Amonitoring method performed by an electronic control apparatus, themonitoring method comprising: obtaining data transmitted via a networkin a system; and judging that an anomaly is present in the dataobtained, when a transmission state of the data is a transmissionstopped state.
 15. A non-transitory computer-readable recording mediumfor use in a computer, the non-transitory computer-readable recordingmedium having a computer program recorded thereon for causing thecomputer to execute: obtaining data transmitted via a network in asystem; and judging that an anomaly is present in the data obtained,when a transmission state of the data is a transmission stopped state.16. A gateway apparatus, comprising: an obtaining unit configured toobtain data transmitted via a network in a system; a judging unitconfigured to judge that an anomaly is present in the data obtained bythe obtaining unit, when a transmission state of the data is atransmission stopped state; and a transfer unit configured to stoptransferring the data, when the judging unit judges that the anomaly ispresent in the data.